Firewall Wizards mailing list archives

Re: Firewall RISKS


From: "MIKE SHAW" <mas () sbscorp com>
Date: Thu, 03 Jun 1999 11:00:22 -0500

There are a number of problems with this advice...noted below (some snipping):

Firewalls do not "prevent" hacks, as most people believe. They simply
reduce RISKS by reducing the number of ports or IP addresses that may
be exposed inadvertently on the Internet. The remaining ports (such as
e-mail, web, and FTP servers) can often be hacked.

Firewalls can indeed prevent hacks, especially firewalls with an application proxy.  An application proxy will block 
many known attacks and some attacks with the right signature, such as overflow attacks in a mail server.  In addition, 
firewalls do extensive logging which aids in seeing an incoming hack before it occurs, as well as tracking down an 
intruder if someone does do a dirty deed.

This is not an excuse to neglect patching applications, operating systems, or deleting default scripts.  But to say 
that a firewall does not prevent hacks is misleading.

In practice, firewalls probably increase RISKS overall. Consider a
study of Berlin taxi drivers who were given anti-lock brakes: the taxi
drivers started driving more aggressively, and had more accidents.
Therefore, the study concluded that anti-lock actually INCREASES RISKS.
What is really going on is that firewalls/ABS only decrease RISKS if
behavior is left unchanged, but the added security encourages RISKy
behavior. 

Good point at the end, but the analogy is critically flawed.  A firewall is not an enhancement like ABS.  It is an 
*essential* part of an overall security strategy.  ABS and firewalls don't increase the risk, the behavior does.  
Relying on such a conclusion gives the impression that doing away with a firewall (or any security structure for that 
matter) might actually be a good thing.

The ColdFusion bug was not really Allaire's fault -- the bug was in a
sample script that Allaire recommends be removed from a production web
server. Almost every web-site creation package like ColdFusion has the
same problem, including Microsoft's ASP scripting, FrontPage web
hosting, and sample CGI programs. Administrators feel safe behind
firewalls and do not diligently check their web servers for these
problems. For the most part, crackers who intend to deface web pages or
steal credit card information from web servers do not care about
firewalls that might protect the target servers.

Oh yeah?  We have quite a few port scans run on our perimeter, and on a regular basis.  The first thing a cracker will 
do is map your site looking for vulnerable ports/hosts.  A solidly configured firewall will not only thwart these 
mapping attempts, but will protect against many exploits that may be tried.  A cracker DOES care about a firewall, 
since it dramatically cuts down on his options.

Your points about only reducing risk are valid, but this is true of any security measure.  To degrade the necessity and 
importance of a firewall is not helpful to anyone trying to justify and implement a security plan.  What would be 
better is to simply recommend a complete and comprehensive security policy, with a well configured firewall as a major 
part.

-Mike
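The post argues that firewall logging lets a defender see reconnaissance (port scans against the perimeter) before an intrusion happens. The following is an added illustration of that point, not code from the post or from any firewall product: it parses constructed log lines in an invented, generic ALLOW/DENY format and flags any source whose denied connections touch an unusually large number of distinct destination ports within a short window. The log format, the field names, the addresses, the 30-second window, and the threshold of five distinct targets are all assumptions chosen for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (invented format; not from any real firewall).
# 203.0.113.5 probes six distinct ports/hosts in four seconds, then one more
# port a minute later; 198.51.100.7 is normal traffic; 198.51.100.9 has a
# single denied connection.
SAMPLE_LOG = """\
1999-06-03T11:00:01 DENY  src=203.0.113.5 dst=192.0.2.10 proto=tcp dport=21
1999-06-03T11:00:01 DENY  src=203.0.113.5 dst=192.0.2.10 proto=tcp dport=22
1999-06-03T11:00:02 DENY  src=203.0.113.5 dst=192.0.2.10 proto=tcp dport=23
1999-06-03T11:00:02 ALLOW src=198.51.100.7 dst=192.0.2.10 proto=tcp dport=80
1999-06-03T11:00:03 DENY  src=203.0.113.5 dst=192.0.2.10 proto=tcp dport=25
1999-06-03T11:00:03 DENY  src=203.0.113.5 dst=192.0.2.11 proto=tcp dport=110
1999-06-03T11:00:04 DENY  src=203.0.113.5 dst=192.0.2.11 proto=tcp dport=139
1999-06-03T11:00:05 ALLOW src=198.51.100.7 dst=192.0.2.10 proto=tcp dport=25
1999-06-03T11:00:40 DENY  src=198.51.100.9 dst=192.0.2.10 proto=tcp dport=443
1999-06-03T11:01:10 DENY  src=203.0.113.5 dst=192.0.2.10 proto=tcp dport=8080
"""

# Field layout of the invented log format (an assumption of this example).
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|DENY)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)"
    r"\s+proto=(?P<proto>\S+)\s+dport=(?P<dport>\d+)$"
)


def parse_log(text):
    """Turn raw log text into a list of event dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "action": m["action"],
            "src": m["src"],
            "dst": m["dst"],
            "dport": int(m["dport"]),
        })
    return events


def detect_port_scans(events, window=timedelta(seconds=30), threshold=5):
    """Return {source_ip: max_distinct_targets} for sources whose DENIED
    connections reach at least `threshold` distinct (dst, dport) pairs
    inside any `window`-long interval. Allowed traffic is ignored so that a
    busy legitimate client is not mistaken for a scanner."""
    denied = defaultdict(list)
    for ev in events:
        if ev["action"] == "DENY":
            denied[ev["src"]].append(ev)

    scanners = {}
    for src, evs in denied.items():
        evs.sort(key=lambda e: e["ts"])
        best = 0
        # Window anchored at each denied event in turn; quadratic per source,
        # which is fine for an illustration on a small log.
        for i, first in enumerate(evs):
            targets = {
                (e["dst"], e["dport"])
                for e in evs[i:]
                if e["ts"] - first["ts"] <= window
            }
            best = max(best, len(targets))
        if best >= threshold:
            scanners[src] = best
    return scanners


if __name__ == "__main__":
    for src, count in detect_port_scans(parse_log(SAMPLE_LOG)).items():
        print(f"possible port scan from {src}: {count} distinct targets denied within 30s")
```

Counting only denied connections is the design choice worth noting: the firewall's own policy decision is what separates a scan from ordinary traffic, which is why the logs the post refers to are useful as an early-warning signal rather than just as an after-the-fact audit trail.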



